US8379850B1ActiveUtility
Method and integrated circuit for secure encryption and decryption
Est. expiryOct 8, 2030(~4.2 yrs left)· nominal 20-yr term from priority
Inventors:Brendan K. BridgfordStephen M. TrimbergerJason J. MooreEdward S. PetersonJames D. WesselkamperJohn Hoffman
H04L 9/0822H04L 9/003H04L 9/0637
84
PatentIndex Score
9
Cited by
10
References
17
Claims
Abstract
In one embodiment, a cryptographic device is provided. The cryptographic device includes a persistent memory and a decryption control circuit coupled to the persistent memory. The decryption control circuit is configured to receive an encrypted data stream and decrypt a first portion of the encrypted data stream using a first cryptographic key stored in the persistent memory, the first portion including a second cryptographic key. The decryption circuit is configured to decrypt a second portion of the encrypted data stream using the second cryptographic key, the second portion of the encrypted data stream including payload data.
Claims
exact text as granted — not AI-modified1. A method for secure configuration of a programmable integrated circuit (IC), comprising:
inputting a configuration bitstream to the programmable IC, the programmable IC having a first cryptographic key stored in a persistent memory, the configuration bitstream having a first portion that is encrypted with the first cryptographic key and that includes a second cryptographic key, and the configuration bitstream having a second portion encrypted with the second cryptographic key;
decrypting the encrypted first portion of the configuration bitstream using the first cryptographic key on the programmable IC;
obtaining the second cryptographic key from the decrypted first portion of the configuration bitstream;
decrypting the encrypted second portion of the configuration bitstream by the programmable IC using the second cryptographic key obtained from the decrypted first portion of the configuration bitstream; and
storing configuration data from the decrypted second portion of configuration bitstream in configuration memory of the programmable IC, wherein:
the configuration bitstream includes a key address of the persistent memory corresponding to the first cryptographic key in the configuration bitstream;
at least a second decryption key is stored in the persistent memory of the programmable IC; and
decrypting the encrypted first portion of the configuration bitstream with the first cryptographic key includes retrieving the first cryptographic key from a location of the persistent memory indicated by the key address.
2. The method of claim 1 , wherein the configuration bitstream includes a third portion and a fourth portion, the third portion encrypted with the first cryptographic key and including a third cryptographic key, and the fourth portion encrypted with the third cryptographic key and including configuration data, the method further comprising:
decrypting the encrypted third portion of the configuration bitstream using the first cryptographic key;
decrypting the encrypted fourth portion of the configuration bitstream using the third cryptographic key from the decrypted third portion of the configuration bitstream; and
storing the decrypted configuration data from the decrypted fourth portion of the configuration bitstream in the configuration memory of the programmable IC.
3. The method of claim 1 , further comprising
storing configuration data from the decrypted first portion of configuration bitstream in the configuration memory of the programmable IC.
4. The method of claim 1 , wherein the first portion of the configuration bitstream includes a cipher text block length value indicative of lengths of cipher blocks in the configuration bitstream.
5. The method of claim 4 , wherein the decrypting of the encrypted second portion of the configuration bitstream with the second cryptographic key from the decrypted first portion of the configuration bitstream includes:
selecting a block of the input configuration bitstream following the first portion of the configuration bitstream, the selected block having a length equal to the cipher text block length value; and
decrypting the selected block using the second cryptographic key.
6. The method of claim 1 , wherein the configuration bitstream includes a third portion encrypted with the second cryptographic key, the method further comprising:
decrypting the encrypted third portion of the configuration bitstream using the second cryptographic key; and
storing decrypted configuration data from the decrypted third portion of configuration bitstream in the configuration memory of the programmable IC.
7. The method of claim 6 , wherein:
the second and third portions of the configuration bitstream are adjacent portions of the configuration bitstream; and
each of the second and third portions of the configuration bitstream has a length equal to a cipher text block length.
8. The method of claim 1 , wherein the second portion of the configuration bitstream includes a third cryptographic key and the configuration bitstream includes a third portion encrypted with the second cryptographic key, the third portion of the configuration bitstream includes configuration data, the method further comprising:
decrypting the encrypted third portion of the configuration bitstream using the second cryptographic key from the decrypted second portion of the configuration bitstream; and
storing the decrypted configuration data from the decrypted third portion of the configuration bitstream in the configuration memory of the programmable IC.
9. The method of claim 1 , wherein the programmable IC is configured to selectively prevent readout of the persistent memory.
10. The method of claim 1 , wherein the configuration bitstream includes a third portion encrypted with a third cryptographic key, the third portion of the configuration bitstream including configuration data, the third portion of the configuration bitstream located after the first portion and prior to the second portion in the configuration bitstream, the method further comprising:
decrypting the encrypted third portion of the configuration bitstream using the third cryptographic key after the decrypting of the first portion of the configuration bitstream and prior to the decrypting of the second portion of the configuration bitstream.
11. The method of claim 10 , wherein the third cryptographic key is equal to the first cryptographic key.
12. The method of claim 10 , further comprising performing key expansion of the second cryptographic key concurrently with the decrypting of the third portion of the configuration bitstream.
13. The method of claim 1 , further comprising authenticating the second cryptographic key after decryption of the first portion of the configuration bitstream.
14. A cryptographic device, comprising:
a persistent memory; and
a decryption circuit coupled to the persistent memory, the decryption circuit configured to:
receive an encrypted data stream including a plurality of data blocks and a plurality of cryptographic keys exclusive from the plurality of data blocks;
decrypt a first portion of the encrypted data stream using a cryptographic key stored in the persistent memory, the first portion including a first one of the plurality of cryptographic keys;
decrypt a second portion of the encrypted data stream using the first one of the plurality of cryptographic keys, the second portion of the encrypted data stream including a first one of the plurality of data blocks;
decrypt a third portion of the encrypted data stream using the cryptographic key stored in the persistent memory, the third portion of the encrypted data stream including a second one of the plurality of cryptographic keys; and
decrypt a fourth portion of the encrypted data stream using the second one of the plurality of cryptographic keys from the decrypted third portion of the encrypted data stream, the fourth portion of the encrypted data stream including a second one of the plurality of data blocks.
15. The cryptographic device of claim 14 , wherein the decryption circuit is further configured to:
decrypt a third portion of the encrypted data stream using the cryptographic key stored in persistent memory, the third portion of the encrypted data stream including a second one of the plurality of data blocks.
16. A method for encrypting a message, comprising:
inputting an unencrypted message;
generating a plurality of cryptographic keys, the plurality of cryptographic keys not derived from the unencrypted message;
encrypting a first block using a first one of the plurality of cryptographic keys, the first block including a second one of the plurality of cryptographic keys;
encrypting a second block using the second one of the plurality of cryptographic keys, the second block including a first portion of the unencrypted message;
storing the first and second encrypted blocks in a processor-readable medium;
encrypting a third block including a third cryptographic key using the first one of the plurality of cryptographic keys;
encrypting a fourth block including a second portion of the unencrypted message using the third one of the plurality of cryptographic keys; and
storing the third and fourth encrypted blocks along with the first and second encrypted blocks in the computer readable media.
17. The method of claim 16 , wherein the first block includes a second portion of the unencrypted message.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.